Re: I'm trying to move fields from multi value fie...

praneeth2050 · ‎01-14-2020

time = 9:30
10:30
11:30
Currently I am doing this
| eval first.time=mvindex(time, 1), second.time=mvindex(time, 2), third.time=mvindex(time, 3)

This will give me first.time = 9:30, second.time= 10:30, third.time=11:30 fields moved from time field where it is a multivalued field. If i have undefined number of fields under this what should I do to automate it? instead of hardcoding it like | eval first.time=mvindex(time, 1), second.time=mvindex(time, 2), third.time=mvindex(time, 3) fourth.time=mvindex(time,4)............hundred.time=mvindex(time,100)

to4kawa · ‎01-15-2020

| makeresults count=100
| streamstats current=f count
| eval time = (random() % 23).":30"
| stats list(time) as time
`comment("this is sample data, please check this")`
| eval counter=mvrange(0,mvcount(time))
| stats list(time) as time by counter
| eval time=mvindex(time,counter)
| sort 0 counter
| transpose 0 header_field=counter column_name=_col
| foreach *
    [rename <<FIELD>> as time_<<MATCHSTR>>]

Hi, @praneeth2050
It's a boring name, but it works.

jpolvino · ‎01-14-2020

What is the problem are you trying to solve? Creating many fields like this is rarely a good idea.

praneeth2050 · ‎01-15-2020

@niketnilay is it possible to help me out here?

praneeth2050 · ‎01-14-2020

So, I am trying to create a Splunk report with the changes in time and changes in other fields. The data I receive will have multiple time fields. For now i have only 3 time fields. In the future, I may even have 10 or 20-time fields... In the case of hardcoding using mvindex is there any alternative?

PS: I have extracted this multivalued field using REGEX

I'm trying to move fields from multi value fields using mvindex. Currently under "time" field I have only 3 values so i am easily moving them as new field. Is there anyway to automate this process without hard coding it?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life